1. Log in to the CFW console and choose Firewall Switch > Inter-VPC Switch in the left navigation bar.
2. On the inter-VPC switch page, click Firewall Instance to open the firewall instance page, then click Create Firewall.
3. In the Create Inter-VPC Firewall window, enter the instance name, select VPC mode, and click Next.
Parameter description:
Instance name: the name you give the firewall instance when creating it.
Mode:
VPC mode: select the VPCs to connect to the firewall. Traffic is redirected by modifying the route tables of those VPCs.
CCN mode: select the CCN instance to connect to the firewall (the CCN must be in multi-route-table mode). Traffic is redirected by changing the CCN route table.
SASE mode: this feature is in a limited-time beta. Submit a ticket if you need to use it.
VPC mode (CDC): the same as VPC mode, available only in CDC environments.
4. Fill in the firewall instance name and region, configure disaster recovery, set the instance bandwidth specification and the networks to connect, then click Next. If the number of instances is insufficient, click on the right to create additional firewall instances.
Parameter description:
Region: the region of the VPCs to be protected.
Remote disaster recovery: the inter-VPC firewall supports remote disaster recovery; check the box to enable it.
Availability zone: select an availability zone that suits your needs.
Instance bandwidth: a single instance currently supports from 1 Gbps up to 20 Gbps (the console allows up to 5 Gbps; for more, submit a ticket for assessment). Scale-out is supported. If the maximum bandwidth is insufficient, create multiple firewall instances and split traffic across them. Each firewall instance has its own throughput limit, so when you run several instances make sure the traffic through any single instance stays within that instance's limit.
Instance connection: click Access Network, select the VPCs to connect in the chosen region, and click Confirm.
Notes:
Each VPC can be connected to only one firewall instance.
The firewall does not create the underlying network connectivity itself. Before connecting VPCs, make sure peering connections or a CCN already link them. If the VPCs are not connected at the network level, connecting them to the firewall has no effect and the firewall switch will be unavailable.
A firewall instance can only connect VPCs in its own region, and each instance can connect at most 10 VPCs; multiple firewall instances can be created in the same region. Plan the VPCs to be connected by region in advance, then create the firewall instances and connect the networks.
5. Configure the traffic redirection subnet, the firewall VPC and the routing mode, confirm the settings, and click Create.
Notes:
Creation takes several minutes after the configuration is submitted.
Parameter description:
Traffic redirection subnet: the Cloud Firewall creates a /24 subnet in each connected VPC and uses it to redirect traffic to the firewall. You choose how that subnet is allocated; it cannot be changed after the firewall is created.
Prefer own IP range: the Cloud Firewall automatically selects an available /24 within the selected VPC's CIDR. If the VPC has no subnet quota left, the VPC's extended IP range is used instead.
Prefer extended IP range: the Cloud Firewall first uses an available reserved extended IP range of the VPC. This mode does not consume the VPC's subnet quota. An extended IP range is a secondary CIDR block of the VPC; see Private Network - Edit IPv4 CIDR.
Custom: enter the /24 yourself. It must lie within the current VPC's CIDR, for example 192.168.0.0/24.
Firewall VPC: used for network communication between firewall instances. A dedicated firewall VPC is created in each region that contains a selected VPC.
Automatic selection: the firewall creates a /20 VPC that does not conflict with the connected VPCs.
Custom: enter a /20 that does not conflict with your planned network, for example 192.168.16.0/20. The value must be the network address of the block: 192.168.1.0/20 has host bits set and is not a valid /20.
Routing mode: the traffic redirection scheme for the firewall switch. The way the VPCs are interconnected determines the switch mode and how routes are redirected; choose according to your network model.
Single-point interconnection: for a small number of VPCs with a simple topology. The switch mode is VPC-to-VPC: one firewall switch is generated for each reachable path between VPCs.
Multi-point interconnection: for a larger number of VPCs with a simple topology, such as a star. The switch mode is single VPC: access between VPCs is controlled by two switches.
Full interconnection: for a large number of VPCs with a complex topology, such as a mesh. The switch mode is all VPCs: a single firewall switch controls the routing of all VPCs.
Custom routing: see the custom routing configuration guide. After the firewall is created, you configure the routing yourself; there is no firewall switch in this mode.
Note: when multiple regions are selected, only custom routing is supported. Check the console for the routing modes available to you.
CCN Mode
Notes:
Since July 1, 2023, CCN charges for network instances and inbound traffic processing. CFW needs a dedicated firewall VPC in the connected CCN instance for traffic diversion, which may incur fees. For details, see the CCN Commercialization Announcement.
1. Log in to the CFW console and choose Firewall Switch > Inter-VPC Switch in the left navigation bar.
2. On the inter-VPC switch page, click Firewall Instance to open the firewall instance page, then click Create Firewall.
3. In the Create Inter-VPC Firewall window, enter the instance name, select CCN mode, and click Next.
4. Click Select, choose the CCN instance to be added to the inter-VPC firewall as prompted, and click Confirm.
Notes:
The CCN instance must support multi-route-table mode. If it does not, contact the CCN team to enable the multi-route-table feature.
CCN mode supports creating the inter-VPC firewall in the regions you specify.
In CCN mode, a firewall can bind to only one CCN instance.
5. After you select a CCN instance, the available regions are derived from the VPCs connected to that CCN. A firewall instance is created in each region you check. Configure the firewall instance name, whether cross-region disaster recovery is required, and the instance bandwidth specification, then click Next.
Parameter description:
Region: the region of the VPCs to be protected.
Notes:
If only one region is selected, all inter-VPC traffic for which the firewall switch is enabled passes through the firewall instance in that region. This suits a star-topology network.
If all regions are selected, inter-VPC traffic for which the firewall switch is enabled passes through the firewall instance in its own region. This suits a mesh-topology network.
When multiple regions are selected, only custom routing is supported.
Remote disaster recovery: the inter-VPC firewall supports remote disaster recovery; check the box to enable it.
Availability zone: select an availability zone that suits your needs.
Instance bandwidth: a single instance currently supports from 1 Gbps up to 20 Gbps (the console allows up to 5 Gbps; for more, submit a ticket for evaluation). Scale-out is supported. If the maximum bandwidth is insufficient, create multiple firewall instances and split traffic across them.
Notes:
Each firewall instance has its own throughput limit. When you run several instances, make sure the traffic through any single instance stays within that instance's limit.
6. Configure the new traffic redirection VPC and the routing mode, confirm the settings, and click Create.
Notes:
Creation takes several minutes after the configuration is submitted.
Parameter description:
Traffic redirection VPC: the Cloud Firewall creates a /20 VPC in the selected CCN instance and uses it to redirect traffic to the firewall. You choose how that VPC is allocated.
Automatic selection: CFW automatically detects an idle /20 VPC range for traffic diversion.
Custom: enter the /20 yourself, for example 192.168.16.0/20. The value must be the network address of the block: 192.168.1.0/20 has host bits set and is not a valid /20.
Note: since July 1, 2023, CCN charges for network instances and inbound traffic processing. The dedicated firewall VPC that CFW creates in the connected CCN instance for traffic diversion may therefore incur fees; see the CCN Commercialization Announcement.
Routing mode: the traffic redirection scheme for the firewall switch. The way the VPCs are interconnected determines the switch mode and how routes are redirected; choose according to your network model.
Single-point interconnection: for a small number of VPCs with a simple topology. The switch mode is VPC-to-VPC: one firewall switch is generated for each reachable path between VPCs.
Multi-point interconnection: for a larger number of VPCs with a simple topology, such as a star. The switch mode is single VPC: access between VPCs is controlled by two switches.
Full interconnection: for a large number of VPCs with a complex topology, such as a mesh. The switch mode is all VPCs: a single firewall switch controls the routing of all VPCs.
Custom routing: see the custom routing configuration guide. After the firewall is created, you configure the routing yourself; there is no firewall switch in this mode.
Note: when multiple regions are selected, only custom routing is supported. Check the console for the routing modes available to you.
Instance Specification
Specification tiers of inter-VPC firewall instances.
Notes:
The internal rule-list quota of an inter-VPC firewall is tied to the instance specification. It is not a separate billing item and cannot be expanded on its own; to raise it, upgrade the instance specification. Every ACL you configure in the console is expanded into concrete rules according to the formula below, with the access source and destination identified automatically, and the resulting rules are delivered to the designated inter-VPC firewall instance.
Issuing formula: number of rules issued = number of source addresses × number of destination addresses × number of ports × number of protocols.
The specification of an inter-VPC firewall instance determines the maximum number of ACL rules that instance can handle. Issuing too many rules can make the engine unstable.
To avoid disrupting your business, optimize your rules against each instance's specification and the number of rules actually issued: reduce the share of redundant rules to keep the engine stable.
Specification tier   Minimum bandwidth (Mbps)   Maximum bandwidth (Mbps)   Rule quota (rules)
1                    100                        1,023                      5,000 (this tier does not include intrusion prevention)
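Because a single ACL with long address lists multiplies out quickly, it is worth computing the issued-rule count before delivering a policy to an instance. The script below is an added example, not code from the Cloud Firewall console or SDK. It applies the issuing formula from the notes above (sources × destinations × ports × protocols) to a constructed set of ACLs, compares the sum with the tier-1 quota of 5,000 rules from the table, and shows the optimization the notes recommend: merging contiguous, aligned CIDRs into supernets so fewer rules are issued without changing which addresses match. Two points are assumptions of the example: that every list entry (a CIDR, a host IP, a single port or a port range) counts as one in the formula, and that the console accepts a supernet CIDR in place of its constituent blocks.

```python
"""Estimate how many rules the console issues for a set of ACLs and whether
they fit an inter-VPC firewall instance's rule quota.

Added example, not part of the Cloud Firewall console or SDK. Applies the
formula on this page (sources × destinations × ports × protocols) to
constructed ACLs and checks the sum against the tier-1 quota of 5,000 rules.
Assumption: each list entry counts as one, and a supernet may replace the
contiguous blocks it exactly covers.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple

TIER1_RULE_QUOTA = 5_000  # from the specification table on this page


@dataclass(frozen=True)
class Acl:
    name: str
    sources: Tuple[str, ...]       # CIDRs or host IPs; each entry counts as one
    destinations: Tuple[str, ...]
    ports: Tuple[str, ...]         # each port or port-range entry counts as one (assumption)
    protocols: Tuple[str, ...]     # e.g. ("TCP",) or ("TCP", "UDP")


def issued_rules(acl: Acl) -> int:
    """Issuing formula from the page: sources × destinations × ports × protocols."""
    return len(acl.sources) * len(acl.destinations) * len(acl.ports) * len(acl.protocols)


def total_issued(acls: List[Acl]) -> int:
    return sum(issued_rules(a) for a in acls)


def fits_quota(acls: List[Acl], quota: int = TIER1_RULE_QUOTA) -> bool:
    return total_issued(acls) <= quota


def heaviest(acls: List[Acl]) -> List[Tuple[str, int]]:
    """ACLs by issued-rule count, largest first: the ones worth optimising."""
    return sorted(((a.name, issued_rules(a)) for a in acls), key=lambda t: -t[1])


def collapse(entries: Tuple[str, ...]) -> Tuple[str, ...]:
    """Merge contiguous, aligned CIDRs into supernets. collapse_addresses only
    merges blocks whose union is exactly the supernet, so the matched address
    set is unchanged. strict=True rejects malformed entries such as 10.0.1.0/22."""
    nets = [ipaddress.ip_network(e, strict=True) for e in entries]
    return tuple(str(n) for n in ipaddress.collapse_addresses(nets))


def optimised(acl: Acl) -> Acl:
    """Same policy with address lists collapsed; only the issued count shrinks."""
    return replace(acl, sources=collapse(acl.sources), destinations=collapse(acl.destinations))


# Constructed sample policy: three ACLs of the kind that inflate quickly.
SAMPLE_ACLS = [
    Acl("web-to-app",
        sources=tuple(f"10.0.{i}.0/24" for i in range(4)),        # 4 adjacent /24s
        destinations=("10.5.0.10", "10.5.0.20", "10.5.0.30"),      # 3 hosts, not mergeable
        ports=("8080", "8443"), protocols=("TCP",)),
    Acl("db-access",
        sources=tuple(f"10.3.0.{i}" for i in range(8)),            # 8 hosts = one /29
        destinations=tuple(f"10.4.0.{i}" for i in range(4)),       # 4 hosts = one /30
        ports=("3306", "6379"), protocols=("TCP",)),
    Acl("broad-allow",
        sources=tuple(f"10.1.{i}.0/24" for i in range(50)),        # 50 /24s
        destinations=tuple(f"10.2.{i}.0/24" for i in range(40)),   # 40 /24s
        ports=("80", "443", "22"), protocols=("TCP", "UDP")),
]


def report(acls: List[Acl], quota: int = TIER1_RULE_QUOTA) -> dict:
    """Before/after summary: does the policy fit, and which ACL to fix first."""
    after = [optimised(a) for a in acls]
    return {
        "issued": total_issued(acls),
        "fits": fits_quota(acls, quota),
        "heaviest": heaviest(acls)[0],
        "issued_after_collapse": total_issued(after),
        "fits_after_collapse": fits_quota(after, quota),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_ACLS).items():
        print(f"{key}: {value}")
```

On the sample policy the three ACLs expand to 24 + 64 + 12,000 = 12,088 rules, well over the 5,000-rule tier-1 quota, with "broad-allow" alone exceeding it; collapsing the address lists brings the same policy down to 44 issued rules. Supernetting only helps when the listed blocks are contiguous and aligned, so scattered host entries stay as they are; for those, the remaining levers in the formula are fewer port and protocol entries per ACL.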